U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

United States Patent and Trademark Office

FY 2009 FISMA Assessment of the Patent Cooperation Treaty Search Recordation System (PTOC-018-00)

Final Inspection Report No. OAE-19731
November 2009

Office of Audit and Evaluation


UNITED STATES DEPARTMENT OF COMMERCE
Office of Inspector General
Washington, D.C. 20230

November 20, 2009

MEMORANDUM FOR: David Kappos
                Under Secretary of Commerce for Intellectual Property and
                Director of the United States Patent and Trademark Office

FROM:           Allen Crawley
                Assistant Inspector General for Systems Acquisition and IT Security

SUBJECT:        United States Patent and Trademark Office (USPTO)
                FY 2009 FISMA Evaluation of Patent Cooperation Treaty Search Recordation System (PTOC-018-00)
                Final Report No. OAE-19731

Attached please find a copy of our report on the results of our evaluation of the Patent Cooperation Treaty Search Recordation System (PCTSRS). We evaluated certification and accreditation activities for PCTSRS as part of our responsibilities under the Federal Information Security Management Act (FISMA).

We found only minor deficiencies with the system's certification and accreditation, and continuous monitoring. Likewise, our evaluation of the system's security controls found only minor deficiencies. However, we did not perform a previously scheduled on-site assessment, which would have provided greater assurance of the controls' effectiveness, because it was too close to our FISMA reporting deadline.

Your October 29, 2009, response to our draft report agreed with our findings and recommendations. In our report, we summarize and comment on your response and have included it in its entirety as appendix B.

Please submit to us an action plan within 60 calendar days from the date of this memorandum; this should be in the form of a plan of action and milestones as required by FISMA.

We appreciate the cooperation and courtesies extended to us by your staff during our evaluation. If you would like to discuss any of the issues raised in this report, please call me at (202) 482-1855.

Attachment

cc: Suzanne Hilding, Chief Information Officer, U.S. Department of Commerce
    Margaret A. Focarino, acting commissioner for patents, USPTO
    John B. Owens II, chief information officer, USPTO
    Rod Turk, director, office of policy and governance, USPTO
    Welton Lloyd, USPTO audit liaison


Report In Brief
U.S. Department of Commerce, Office of Inspector General
November 2009

United States Patent and Trademark Office (USPTO)
FY 2009 FISMA Assessment of the Patent Cooperation Treaty Search Recordation System (OAE-19731)

Why We Did This Review

The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies to identify and provide security protection of information collected or maintained by it or on its behalf. Inspectors general are required to annually evaluate agencies' information security programs and practices. Such evaluations must include testing of a representative subset of systems and an assessment, based on that testing, of the entity's compliance with FISMA and applicable requirements.

This review covers our evaluation of USPTO's PCTSRS, which is one of a sample of systems we assessed in FY 2009.

Background

PCTSRS is a contractor-owned system that provides services related to international patent applications. The contractor's employees use the system to perform searches and submit written opinions regarding the patentability of inventions.

C&A is a process by which security controls for IT systems are assessed to determine their overall effectiveness. Understanding the remaining vulnerabilities identified during the assessment is essential in determining the risk to the organization's operations and assets, to individuals, to other organizations, and to the nation resulting from the use of the system.

What We Found

Our objectives for this review were to determine whether (1) implemented controls adequately protect the system and its information, (2) continuous monitoring is keeping the authorizing official sufficiently informed about the operational status and effectiveness of security controls, and (3) the certification and accreditation (C&A) process produced sufficient information about remaining system vulnerabilities to enable the authorizing official to make a credible, risk-based accreditation decision.

Although we found minor deficiencies with PCTSRS' C&A activities, USPTO's C&A process produced sufficient information to enable the authorizing officials to make a credible, risk-based accreditation decision. Our evaluation of the system's security controls also found only minor deficiencies.

What We Recommend

In order to ensure PCTSRS complies with FISMA requirements, USPTO should resolve the minor deficiencies we reported in our assessment. USPTO agrees with our findings, and has begun to take steps to implement our recommendations.


Contents

Introduction
Findings and Recommendations
I.   Certification and Accreditation Process Included Minor Deficiencies
     A. Boundary Definition and System Component Inventory
     B. Security Plan Deficiencies
II.  Minor Deficiencies Identified in System Security Controls
     A. Configuration Settings (CM-6)
     B. Baseline Configuration (CM-2)
III. Continuous Monitoring Is Keeping Authorizing Officials Sufficiently Informed, with a Minor Exception
     A. Vulnerability Remediation and POA&M Validation
Recommendations
Summary of USPTO Response and OIG Comments
Appendix A: Objectives, Scope, and Methodology
Appendix B: USPTO Response


Introduction

We evaluated certification and accreditation activities for the Patent Cooperation Treaty Search Recordation System (PCTSRS) as part of our FY 2009 responsibilities for conducting independent evaluations under the Federal Information Security Management Act (FISMA). For a complete outline of our objectives, scope, and methodology, see appendix A.

PCTSRS is owned and operated by Cardinal IP, a U.S. Patent and Trademark Office (USPTO) contractor that provides services related to international patent applications. Cardinal employees use the system to perform searches and submit written opinions regarding the patentability of inventions.

An application filed with USPTO under the Patent Cooperation Treaty is transmitted to a PCTSRS batch server via a secure connection. Cardinal staffers then transfer the application to PCTSRS' web docket system and assign an appropriate search professional to work on it. The search professional remotely accesses the "case" from her own computer via a secure remote desktop application, which includes controls to prevent the transfer of patent data to her local disk drive. Cardinal then transfers the search professional's written opinion in its web docket system back to USPTO via a batch server and secure connection.

Based on the intellectual property protection information it contains, PCTSRS is categorized [redacted].

PCTSRS is located at Cardinal IP's [redacted]. The system, which went operational in October 2006, underwent its first security certification in 2008 and was granted an interim authorization to operate in September 2008. Cardinal and USPTO's Information Technology Security Management Group then devised a recertification plan to assess only the controls from the previous assessment that were deemed high risk, that had been changed since the previous assessment, or that were identified by USPTO's independent verification and validation (IV&V) contractor (after the interim authorization to operate was granted) as needing better assessment. Controls were assessed by a certification team from Veris Group, a contractor for Cardinal IP. The initial scope of 68 controls was later expanded to include all physical and environmental controls pertaining to the [redacted] datacenter, which had not been assessed in 2008. This time, the IV&V contractor reviewed the recertification and accreditation package before the accreditation decision was made. The contractor's review helped improve the security plan and documentation of the control assessment.

In late May 2009, the acting commissioner for patents and the chief information officer (co-authorizing officials) granted an authorization to operate. In the accreditation decision letter, the officials noted that vulnerabilities in Configuration Settings (CM-6) and Flaw Remediation (SI-2)[1] were "a concern" and directed Cardinal "to immediately begin the remediation efforts for these vulnerabilities and complete implementation as soon as possible, but no later than 90 days after the date of this [authorization to operate]. Additionally, the contractor shall provide bi-weekly status reports toward remediation of these vulnerabilities."[2]

[1] "CM-6," "SI-2" and other similarly formatted notations are security control identifiers from NIST SP 800-53, Recommended Security Controls for Federal Information Systems. We include the name of the control at the first mention in the report and use the identifier thereafter.
[2] Owens, John B. II, and Margaret A. Focarino. May 7, 2009. Security Certification Statement for the Patent Cooperation Treaty Search Recordation System. Memorandum to Blaine Copenheaver, USPTO, and Rod Turk, USPTO.


Findings and Recommendations

I. Certification and Accreditation Process Included Minor Deficiencies

Although we found deficiencies with PCTSRS' certification and accreditation activities, USPTO's process for certifying contractor systems produced sufficient information to enable the co-authorizing officials to make a credible, risk-based accreditation decision.

A. Boundary Definition and System Component Inventory

The system accreditation boundary definition was not updated for two key classes of components: [redacted]. The system boundary document described four [redacted] components ([redacted]) in PCTSRS. Also, a spreadsheet presented as the system's component inventory and referred to in the initiation-phase security plan did not mention any [redacted] components. However, we learned there are actually 12 [redacted] components considered to transmit PCTSRS data: in addition to the 4 mentioned in the system boundary definition, there are 8 other [redacted]. This deficiency did not detract from the control assessment, as all 12 were assessed for compliance with secure configuration settings.

[Redacted] and a [redacted] were included in the information system component inventory presented in the certification and accreditation package and in a second list used by the certification team to validate the Information System Component Inventory (CM-8) security control. These components were scanned for vulnerabilities, but no additional assessments were conducted by the certification team. Cardinal staff told us these components do not process, store, or transmit PCTSRS data; therefore, the components are considered to be out of scope. We did not perform an on-site assessment to validate that this was the case. Cardinal staff told us they intend to revise CM-8 documentation to reflect the fact that these [redacted] are not within the scope of the system's boundary.

B. Security Plan Deficiencies

The post-certification security plan[3] indicates that the "details of the [information system component] inventory are documented in this [system security plan]," and that Cardinal "updates the PCTSRS inventory as an integral part of system management."[4] However, the CM-8 issues discussed above suggest otherwise, and Cardinal staff conceded that the evidence they provided to the certification team for CM-8 was outdated. The security plan and related procedures for CM-8 did not provide any details as to how the component inventory was maintained or what information it contained, nor a reference to the actual inventory itself. The descriptions amounted to mere assertions that the control requirements were being met.

[3] We reviewed version 2.6 of the system security plan, which was the basis for the accreditation decision. Late in our evaluation, we were given version 3.0 (dated July 16, 2009) of the security plan and found the same deficiencies.
[4] U.S. Patent and Trademark Office, April 16, 2009. Cardinal Intellectual Property (CIP) Patent Cooperation Treaty Search Recordation System (PCTSRS) System Security Plan (SSP), Version 2.6, 69-70.

We noted a discrepancy between the parameters for Unsuccessful Login Attempts (AC-7) described in the security plan and the [redacted] for PCTSRS that was included in the control assessment artifacts. The security plan stated that [redacted]. AC-7 was not assessed for the 2009 recertification, so this discrepancy was not addressed by the certification team. However, Cardinal staff confirmed our conclusion that the change was the result of implementing secure configuration settings in [redacted] environments.

Account Management (AC-2), enhancement 4, requires the organization to employ automated mechanisms to audit account creation, modification, disabling, and termination. However, the PCTSRS security plan descriptions of mechanisms for the various component types do not address auditing capabilities.

II. Minor Deficiencies Identified in System Security Controls

We identified only minor control deficiencies in our review of system artifacts and interviews of contractor staff.

A. Configuration Settings (CM-6)

Secure configuration settings were not defined prior to the control assessment, but the eventual benchmarks were identified and settings examined on [redacted]. The certification team concluded CM-6 was "other than satisfied," discussed the vulnerability in the security assessment report, and added CM-6 to the system's plan of action and milestones (POA&M). Cardinal has now defined secure configuration settings for [redacted].

Secure configuration settings defined for [redacted] components are included in PCTSRS' [redacted] Standards. Unlike the other configuration settings defined for IT products mentioned above, this document does not compare PCTSRS' defined settings to industry benchmark settings. While there is overlap with the industry benchmark, not all recommended settings were addressed; a particular concern involves [redacted].

Cardinal has recently submitted evidence to USPTO's IT security management group in support of closing the POA&M for CM-6. USPTO's IV&V contractor is currently evaluating the evidence for completeness. However, we found no evidence that [redacted] devices were compliant with PCTSRS' defined settings. The certification team noted in its assessment of CM-6 that "benchmark tests conducted against [redacted] [emphasis added] confirmed that system configuration settings are not compliant with the [industry] benchmark standard."

B. Baseline Configuration (CM-2)

The requirements for this control were at least partially confused with the requirements for Configuration Settings (CM-6) in the initiation, security certification, and accreditation phases. As a result, the control requirements are not being properly remediated in the (current) continuous monitoring phase.

The security plan, the control assessment, and the security assessment report all indicated that, with respect to CM-2 requirements, Cardinal IP administrators were in the process of implementing secure configuration settings (i.e., CM-6) based on industry benchmarks. The Cardinal Intellectual Property Security Control Procedures for CM-2 further discussed CM-6 requirements rather than what was needed for the system's baseline configuration. Although the control was deemed "other than satisfied," the certification team's evidence for this status was a USPTO memo addressing secure configuration settings, which again falls under CM-6 requirements.

Currently, Cardinal has submitted a request to close the CM-2-related POA&M item along with the CM-6 POA&M item. However, only compliance scans validating secure configuration settings were submitted as proof of the control's remediation. As explained in NIST SP 800-53, Recommended Security Controls for Federal Information Systems,

    [CM-2] establishes a baseline configuration for the information system. The baseline configuration provides information about a particular component's makeup (e.g., the standard software load for a workstation or notebook computer including updated patch information) and the component's logical placement within the information system architecture.[5]

We reviewed two reports prepared by Cardinal that detail the applications installed in workstations. The information in the reports would partially satisfy CM-2 requirements for those components.

[5] NIST Special Publication 800-53, Revision 2, Recommended Security Controls for Federal Information Systems, F-24.

III. Continuous Monitoring Is Keeping Authorizing Officials Sufficiently Informed, with a Minor Exception

Continuous monitoring, with respect to configuration management and the USPTO POA&M process, does appear to be keeping the authorizing officials sufficiently informed about the operational status and effectiveness of security controls, although minor deficiencies should be remediated.

Cardinal has made considerable progress toward implementing CM-6 and SI-2, and has provided bi-weekly status updates to USPTO in accordance with the authorizing officials' directive. However, we did note a deficiency in the remediation of SI-2 vulnerabilities.

A. Vulnerability Remediation and POA&M Validation

USPTO closed the SI-2 weakness in the system's POA&M without properly validating that vulnerabilities had been fully remediated. We reviewed the notes and artifacts supporting the closing of a POA&M item that stemmed from the certification team's assessment of SI-2. Both the explanation for closing the POA&M item and the artifacts included as evidence of the vulnerabilities' remediation referred to workstations only, not to servers.

However, the vulnerabilities identified by the certification team pertained to both workstations and servers (from the certification team's assessment): "Although the [redacted] server and [redacted] workstation environments are patched, outdated and insecure versions of third party software were detected throughout the environment [emphasis added]. Most notably, vulnerabilities were associated with outdated installations of [redacted]." The evidence for SI-2 assessment pointed to findings from vulnerability scans. A sorting of scan results indicates 297 high- or medium-risk findings (184 high) related to SI-2 for servers.

After we discussed this deficiency with USPTO and Cardinal staff, they produced archived emails with attached evidence that Cardinal had fixed the server vulnerabilities. However, USPTO did not follow its own procedures and include the evidence in the POA&M record; based on the notes supporting the closing of the SI-2 POA&M item, USPTO's validation pertained to workstations only.

Recommendations

USPTO should
    1. review the information system component inventory and update it in accordance with the requirements of USPTO policy and NIST SP 800-53;
    2. correct the security plan deficiencies (including related security control procedures) with accurate and complete information;
    3. revise the PCTSRS mandatory configuration settings for [redacted] components to address the deficiencies described above;
    4. revise the security plan description for CM-2 and remediate the POA&M item in accordance with the actual control requirements; and
    5. reopen the SI-2 POA&M item until evidence of remediation of outdated software on server components is validated in accordance with USPTO procedure.

Summary of USPTO Response and OIG Comments

In response to our draft report, USPTO agreed with our findings and recommendations. USPTO also described actions it intends to take to remediate the deficiencies; these were consistent with our recommendations. USPTO's response is included in this report as appendix B.


Appendix A: Objectives, Scope, and Methodology

Our objectives were to determine whether (1) implemented controls adequately protect the system and its information, (2) continuous monitoring is keeping the authorizing official sufficiently informed about the operational status and effectiveness of security controls, and (3) the certification and accreditation process produced sufficient information about remaining system vulnerabilities to enable the authorizing official to make a credible, risk-based accreditation decision.

Security certification and accreditation packages contain three elements, which form the basis of an authorizing official's decision to accredit a system:

    •   The system security plan describes the system, the requirements for security controls, and the details of how the requirements are being met. The security plan provides a basis for assessing security controls and also includes other documents such as the system risk assessment and contingency plan, per Department policy.

    •   The security assessment report presents the results of the security assessment and recommendations for correcting control deficiencies or mitigating identified vulnerabilities. This report is prepared by the certification agent.

    •   The plan of action & milestones (POA&M) is based on the results of the security assessment. It documents actions taken or planned to address remaining vulnerabilities in the system.

The Department's IT Security Program Policy and Minimum Implementation Standards requires that certification and accreditation packages contain a certification documentation package of supporting evidence of the adequacy of the security assessment. Two important components of this documentation are

    •   the certification test plan, which documents the scope and procedures for testing (assessing) the system's ability to meet control requirements; and

    •   the certification test results, which are the raw data collected during the assessment.

To evaluate the certification and accreditation, we reviewed all components of the certification and accreditation package and interviewed USPTO and Cardinal staff to clarify any apparent omissions or discrepancies in the documentation and gain further insight on the extent of the security assessment. We evaluated the security plan and assessment results for applicable security controls and will give substantial weight to the evidence that supports the rigor of the security assessment when reporting our findings to OMB.

To evaluate system security controls, we examined system artifacts included in the package as well as additional information and evidence about controls we requested during the course of our review. We also interviewed Cardinal and USPTO staff to gain further insight on the status of controls. Our FISMA reporting deadline caused us to cancel previously scheduled on-site assessments of PCTSRS controls, which we would typically do and which we would weigh significantly when determining the effectiveness of system security controls.

To evaluate continuous monitoring, we conducted interviews and examined correspondence and other information exchanged between Cardinal and USPTO since the accreditation and the system's POA&M records.

We used the following review criteria:

    •   Federal Information Security Management Act of 2002 (FISMA)

    •   U.S. Department of Commerce IT Security Program Policy and Minimum Implementation Standards, June 30, 2005

    •   NIST Federal Information Processing Standards (FIPS)

           o Publication 199, Standards for Security Categorization of Federal Information and Information Systems

           o Publication 200, Minimum Security Requirements for Federal Information and Information Systems

    •   NIST Special Publications:

           o 800-18, Guide for Developing Security Plans for Information Technology Systems

           o 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems

           o 800-53, Recommended Security Controls for Federal Information Systems

           o 800-53A, Guide for Assessing the Security Controls in Federal Information Systems

           o 800-70, Security Configuration Checklists Program for IT Products

           o 800-115, Technical Guide to Information Security Testing and Assessment

We conducted our evaluation in accordance with the Inspector General Act of 1978, as amended, and the Quality Standards for Inspections (revised January 2005), issued by the President's Council on Integrity and Efficiency.


Appendix B: USPTO Response